That's the overarching thing businesses need to bear in mind when signing on with cloud computing vendors, according to Matthew A. Karlyn, a partner at Foley & Lardner. Karlyn's legal work focuses on IT, outsourcing, privacy, security, and information management matters. He notes that traditional contracts for on-premises technology simply don't address the same needs and risks inherent in infrastructure and applications hosted by an offsite vendor. Karlyn said he fields at least a couple of calls a week from clients with cloud access, security, or other issues where they believe the vendor is at fault.
"It happens all the time, and the first place we always turn is to the contract," Karlyn said.
Small and midsize businesses are reviewing and signing plenty of those contracts in 2011: $11 billion worth worldwide, according to a current Techaisle estimate. Certainly, consult with your own legal counsel on contract matters. But it's a good idea to have in-house knowledge, too--it can help you develop a sharper vendor selection process, ease fears around moving to the cloud, and ensure productive outcomes from doing so.
The "unfortunate reality" for some SMBs, according to Karlyn, is that their cloud contracts--particularly for smaller deals--will be non-negotiable. In those cases, it's important to develop sound internal risk management processes. As the size, volume, and complexity of cloud contracts grow, however, SMBs should find their leverage increasing: "You will have a lot more success reducing that risk to you and pushing some of that risk over to the other side," Karlyn said.
Karlyn said it's crucial for any business to read the fine print before moving critical functions to the cloud. Here are four key ideas he recommends paying particular attention to when reviewing vendor contracts.
Page one isn't necessarily the place to start.
There are three related areas Karlyn prioritizes in any cloud contract review: service availability, service level, and data security. That doesn't mean those areas are front and center in the document, however.
"It's usually somewhere in the back," Karlyn said. "I'd be printing [the contract] out, grabbing a highlighter, and running to the service availability, service level, and security sections. That's where my editing and comments would really begin."
Karlyn notes that acceptable definitions of service availability, service level, and data security might vary for different businesses. "What you as a customer are looking for is an extraordinary amount of uptime," he said. "That's what you're paying for, right?"
Some specific items worth getting right: Make sure you clearly understand the vendor's definition of planned or permitted downtime--as opposed to unexpected outages--for maintenance and other reasons, as well as how and when the vendor schedules it. No detail is too small: If your team is based on the east coast and the vendor is on the west coast, for example, take time zones into account. Also ensure you're comfortable with the vendor's stated policies and rules for what happens when there's an unplanned outage or a security breach.
Have a business continuity plan.
Data availability and security are two of the most commonly cited concerns of businesses hesitant to move critical applications to the cloud. Planning can go a long way to reducing risk and the fears that come with it. Karlyn advises making sure you have some way to access your data in the event of unexpected downtime.
"Whether it's for a minute or a few hours--whatever it is--make sure there's a plan in place to remedy the situation extraordinarily quickly," Karlyn said.
Take the long view.
Cloud-based systems are sometimes touted for faster release cycles than their on-premises counterparts, particularly when it comes to software. That can mean more frequent updates and improvements. If you move key applications to the cloud, Karlyn recommends having a clear contractual understanding of what maintenance and upgrades you're entitled to over time--and what, if anything, you'll have to pay for them.
"It's an issue that customers should be aware of to make sure that the vendor is required to improve the service over time," Karlyn said.
Know what happens if you and the vendor part ways.
Karlyn believes the theoretical cost advantages of cloud computing can be misconstrued: "I cringe when people say it's cheap," he said. "It's more cost-effective, but it's not cheap because there are risks involved with it. Those risks, if they get triggered, can be very expensive."
A fundamental risk: While Karlyn advises businesses to retain as much power over their data as possible in vendor contracts, moving critical applications to the cloud precludes complete control. That's true from the start of the contract, but it's also a good idea to ask: What happens at the end of this contract? Put another way: If your company and a vendor part ways at some point, what happens with your data?
"In the event that the contract terminates, you need to get your data back quickly, you need to get all of it back, and it needs to be returned to you in some meaningful way," Karlyn said. "You want to structure your contracts so that those requirements are very clear."